Dusk Before the Dawn

This essay was originally published in the February 2007 edition of the Global Intelligencer.

ePassport Security – is this an oxymoron?

Technology implementations and upgrades happen in all businesses and processes. Planning, testing, involving your customers and careful implementation can alleviate most but not all of the inconvenience caused by the differences and downtimes end-users experience through these changes. In my twenty-plus year career in the technology business, I have been apart of some excellent implementations. But I have seen some disasters as well.

I have also been traveling internationally for twenty-plus years, and am on my second U.S. passport. I usually enjoy travel for business or for pleasure with my family, but I have yet to encounter a passport control line in any country that I enjoyed. The lines are always long, longer still since 9/11.

“ePassport” is the common name for the worldwide project where technology implementation meets international travel to provide more secure access for travelers. As some of the technology is not yet mature, ePassports have also generated concern about personal information, identity theft, and longer delays at immigration.

International travelers around the world should be aware of past and upcoming deadlines concerning ePassports. An ePassport (also called “biometric passport”) differs from previous passports in that it has an integrated computer chip that holds the same information printed on the passports data page, and in most cases contains additional biometric data, such as facial scans and fingerprinting. Before ePassports, passports had at most a magnetic strip that was scanned which contained some minor data such as name and passport number simply to ease the burden of typing in this information.

The U.S. Department of Homeland Security (DHS) says that as of October 26, 2006, any passport issued from a Visa Waiver Program (VWP) country must be an ePassport for VWP travelers to be eligible to enter the U.S. without a visa. There are currently 27 countries participating in the VWP program. Of these, a recent report cited only seven as being ready with ePassports.

In addition, the United States is also beginning to issue ePassports for U.S. citizens, starting this past August from passport offices in Colorado, and extending to other offices in the near future.

Many security experts worldwide are recommending travelers apply for passports soon, before all new passports are ePassports. Bruce Schneier, Founder and CTO of Counterpane Internet Security and one of the leading authors and authorities on cryptography, is one such expert, writing in his recent blog:

In many countries, including the United States, passports will soon be equipped with RFID chips. And you don’t want one of these chips in your passport.

ePassports utilized a technology called RFID (Radio Frequency Identification) which has been in use for many years. RFID is employed in tracking inventory in warehouses, preventing consumer goods from leaving stores without payment and other processes which require tracking items through short distance scanners. As it is a well-documented standard, it is also a target for hackers. In a presentation at last years’ DefCon security conference, Lukas Grunwald, who works for a German security company, not only discussed six different types of Generic RFID “hacks” but also demonstrated one of these for the audience with off-the-shelf equipment and open source software. Computer security experts have also demonstrated the ability to build a short-range RFID reader from off-the-shelf parts and software, and use it in “brush-by” readings, where the contents of an RFID object such as an ePassport can be read by simply walking close enough to the person carrying it. For an example of one of these and more information on building these scanners, see Adam Laurie’s excellent site RFIDiot (http://www.rfidiot.org).

Some of the ePassport implementations are protected with a security key (think password or passphrase). But, because the information in the ePassport must be conveniently read by scanners all over the world, many of the security keys are derived from the visible data on the passport. This makes the readers work, but it also makes cracking the key a simple matter of scanning the data and using enough computer horsepower to determine the code from that data.

These implementations are certainly not without controversy and implementation issues.

In a report released this month (February 2007) from the UK’s National Audit Office (NAO), the longevity of the chips used in the ePassports was questioned. While passports are issued for ten years (in both the U.K. and U.S.), the manufacturer of the RFID chips for the UK ePassports is warranting them for only 24 months.

Both the United States and the United Kingdom have stated that the ePassports will still be valid even if the chips fail. This has caused many in the Internet community to recommend methods of disabling the chip from microwaving the ePassports (which is some tests have resulting in destroying the entire ePassport in flames) to using a hammer to smash the chip. Since tampering with your passport is unlawful in most countries, you may want to employ protective covers that are supposed to block un-wanted RFID scans. Mr. Laurie evaluates a couple on the above mentioned RFIDiot site (http://rfidiot.org); or you could simply wrap your passport in aluminum foil, as has been recommended by many.

The U.K. NAO report also questioned the efficiency of the RFID readers, stating that the guaranteed read time is eight seconds. Though these readers are not yet fully deployed, it brings response time concerns to airport officials already dealing with long security lines.

For cost purposes, memory size in the chips was sacrificed in some implementations. This implies that only a small amount of biometric data can be placed on the current ePassport. It further implies that a technology upgrade (i.e., exchanging your ePassport for a newer model) will be required to fully implement the amount of biometric data (facial scans, all ten fingerprints) that some governments desire.

ePassports also raise additional personal privacy concerns for people who wonder what is contained on the chip inside the ePassport. With previous passports the holder’s information was visible (with the exception of information contained on a magnetic strip). To ease this concern, some countries (Holland, for example) are installing public readers so that citizens can read the information contained on the chip.

In addition to Mr. Schneier’s blog and newsletter and Mr. Laurie’s website noted above, the following links lead to information about the new ePassports:

• International Civil Aviation Organization, the body that sets international standards for machine readable travel documents (MRTDs);
• U.S. Department of Homeland Security details on Visa Waiver Program passport requirements;
• UK Passport Service information page on http://www.passport.gov.uk/general_biometrics.asp